Categories
WordPress

The TimThumb Saga

Last week there was a serious flaw found in the code behind TimThumb, an image re-sizing library commonly used in premium themes.* Because the code is commonly embedded in themes it’s not easy to discretely update like it would be if the code were a plugin, and even when a theme is updated people are hesitant to update because they often customize theme code rather than making child themes, so if they were to overwrite their theme with a new version they’d lose their modifications. That, combined with the severity of the flaw, means that this is one of the more serious issues in the WordPress ecosystem in a while, even more than normal because it wasn’t in core.

It could have gone a lot of ways, but the incident brought out the best in the community. The core team sprang into action searching through the theme directory to inoculate any themes that contained the dangerous code. Community blogs quickly got the word out about the problem so people were aware of it. Mark Maunder, who originally discovered and broke down the problem, created a fork of the code called WordThumb that rewrote TimThumb from the ground up. Forking is not usually ideal because it fragments the market for users but Mark soon connected with Ben Gillbanks, long-time WordPress community member, and they’ve teamed forces to release TimThumb 2.0, a collaboration that exemplifies Open Source at its finest. An updated plugin should be in the directory shortly.

It also illustrated the original vision I had behind VaultPress. In addition to reporting early and emailing customers with vulnerable code, the following morning they had devised a way to go in and surgically correct vulnerable code on over seven hundred affected websites. This fixing-problems-while-you-sleep delighted users and is exactly the kind of problem I hoped VaultPress would solve for people and it underscores the core value of the service. If you’re not using VaultPress for your most important websites yet, you should.

* I originally had a long rant here, but here’s the 13-word version: I’ve seen no correlation between how much something costs and its code quality. This is getting better as more people become familiar with the coding standards of core, and PHP in general, but there is still a long way to go. If you want to avoid this in your own code, check out Theme Check and Log Deprecated Notices to start. If you’re looking for code to base your own theme on, it’s best to start with something like 2010 or 2011.

Categories
WordPress

Fifty Million

As noted on TNW and Adweek, yesterday we passed over 50,000,000 websites, blogs, portfolios, stores, pet projects, and of course cat websites powered by WordPress. I had the good fortune to celebrate this milestone with a few hundred WordPressers at WordCamp Montreal yesterday. (During my Town Hall I wasn’t aware we had passed the number until someone shouted from the audience.) It’s always fun to pass a big round number and over the weekend many libations were consumed with friends old and new, but ultimately the press has always been more concerned with those top-line numbers than we have in the WordPress community. More sites being created is a good benchmark for our adoption, but ultimately WordPress matters not for the blogs it creates but for the lives it affects. We have some huge opportunities this year, particularly around making our software more accessible to the next 50 or 500 million people who want to have a voice online, something I hope to talk more about at WordCamp San Francisco next month.

Categories
WordPress

Blogging Drift

The New York Times has a pretty prominent article today called Blogs Wane as the Young Drift to Sites Like Twitter. The title was probably written by an editor, not the author, because as soon as the article gets past the two token teenagers who tumble and Facebook instead of blogging, the stats show all the major blogging services growing — even Blogger whose global “unique visitors rose 9 percent, to 323 million,” meaning it grew about 6 Foursquares last year alone. (In the same timeframe WordPress.com grew about 80 million uniques according to Quantcast.)

Blogging has legs — it’s been growing now for more than a decade, but it’s not a “new thing” anymore. Underneath the data in the article there’s an interesting super-trend that the Times misses: people of all ages are becoming more and more comfortable publishing online. If you’re reading this blog you probably know the thrill of posting and getting feedback is addictive, and once you have a taste of that it’s hard to go back. You rode a bike before you drove a car, and both opened up your horizons in a way you hadn’t imagined before. That’s why blogging just won’t quit no matter how many times it’s declared dead.

Blogging (with WordPress) is the natural evolution of the lighter publishing methods — at some point you’ll have more to say than fits in 140 characters, is too important to put in Facebook’s generic chrome, or you’ve matured to the point you want more flexibility and control around your words and ideas. (As The Daily What did in their recent switch from Tumblr to WordPress.) You don’t stop using the lighter method, you just complement it — different mediums afford different messages.

Read more: Scott Rosenberg on “Another misleading story”; Mark Evans “Why I Still Love Blogging.”

Categories
Automattic Essays Open Source WordPress

A New Home for the WordPress Trademark

As I write this, I’m on my way to Seaside, Florida to see 60+ Automatticians at our yearly meetup. More than sixty… that number astounds me! Automattic has grown so far beyond what I originally imagined and every day I’m amazed by my colleagues and the things they create. Today we’re growing in another way: Automattic has transferred the WordPress trademark to the WordPress Foundation, the non-profit dedicated to promoting and ensuring access to WordPress and related open source projects in perpetuity. This means that the most central piece of WordPress’s identity, its name, is now fully independent from any company.

This is a really big deal.

I want to recognize and applaud the courage and foresight of Automattic’s board, investors, and legal counsel who made this possible: Mike Hirshland, Phil Black, Tony Conrad, Toni Schneider, Gunderson Dettmer. I’d also like to thank Matt Bartus of Dorsey & Whitney for their counsel on the Foundation side. The WordPress brand has grown immeasurably in the past 5 years and it’s not often you see a for-profit company donate one of their most valuable core assets and give up control. However, I know in my heart that this is the right thing for the entire WordPress community, and they followed me on that. It wasn’t easy, but things worth doing seldom are.

When Automattic registered the WordPress trademark back in 2006, we were a small startup of a few people: a business founded largely to enable us to work on WordPress full-time instead of hacking around our day jobs. A lot has changed since then — somehow along the way we ended up with an audience of a quarter billion people — but a lot has stayed the same. We’re still a group of people in love with WordPress and free/open source software and we’re lucky to have figured out a way to contribute to the world and flourish as a business while doing it.

Automattic might not always be under my influence, so from the beginning I envisioned a structure where for-profit, non-profit, and not-just-for-profit could coexist and balance each other out. It’s important for me to know that WordPress will be protected and that the brand will continue to be a beacon of open source freedom regardless of whether any company is as benevolent as Automattic has been thus far. It’s important to me to know that we’ve done the right thing. Hopefully, it’s important to you, too, and you’ll continue your support of WordPress, the WordPress Foundation, and Automattic’s products and services. We couldn’t do it without you!

Categories
Switchers

Syn-thesis 3: Switchers

The biggest after-effect of the Thesis license violation episode seems to be raising people’s awareness of alternatives that are both fully GPL and have better functionality too. One theme that seems to be picking up a ton of new users is Genesis. We helped Laughing Squid and Paul Stamatiou make the switch, but Chris Brogan joined the party completely independently. (All formerly in the Thesis showcase. Scobleizer switched a while back.) I’m excited about this because I think Genesis is a better theme, particularly for its advanced support of WordPress functionality like child themes. (Child themes are the only way you should build your site on top of a framework.)
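
The child-theme point above, and the TimThumb post’s observation that people lose their customizations when they overwrite a modified theme, both come down to the same mechanism: keep your changes in a separate directory so the parent theme can be updated (including for security fixes) without touching them. The script below is an added example, not code from this blog or from any theme project; it scaffolds a child theme the way WordPress expects one (a `style.css` header whose `Template:` line names the parent theme’s directory, and a `functions.php` that enqueues the parent stylesheet rather than copying parent files). The directory names `parent-framework` and `my-child` are constructed placeholders.

```shell
#!/bin/sh
# Scaffold a WordPress child theme so customizations live outside the parent
# theme directory and parent updates can be applied without losing them.
# Added example; the theme slugs used in the demo are assumptions.
#
# Usage: create_child_theme <themes-dir> <parent-slug> <child-slug> "<Child Name>"
create_child_theme() {
  themes_dir=$1; parent=$2; child=$3; name=$4
  child_dir="$themes_dir/$child"
  mkdir -p "$child_dir" || return 1
  # style.css header: "Template:" must match the parent theme's directory name.
  cat > "$child_dir/style.css" <<EOF
/*
Theme Name: $name
Template: $parent
Version: 1.0
*/
EOF
  # functions.php: load the parent stylesheet, then the child's own, instead of
  # copying parent files into the child (copies would need re-patching on each update).
  cat > "$child_dir/functions.php" <<'EOF'
<?php
function child_theme_styles() {
    wp_enqueue_style( 'parent-style', get_template_directory_uri() . '/style.css' );
    wp_enqueue_style( 'child-style', get_stylesheet_uri(), array( 'parent-style' ) );
}
add_action( 'wp_enqueue_scripts', 'child_theme_styles' );
EOF
}

# Sanity check: the child's Template: line must point at an installed parent directory.
check_child_theme() {
  themes_dir=$1; child=$2
  [ -f "$themes_dir/$child/style.css" ] || return 1
  parent=$(sed -n 's/^Template:[[:space:]]*//p' "$themes_dir/$child/style.css")
  [ -n "$parent" ] && [ -d "$themes_dir/$parent" ]
}

# Demo on a constructed temporary themes directory.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/parent-framework"   # stands in for the installed parent theme
create_child_theme "$demo_dir" parent-framework my-child "My Child Theme"
check_child_theme "$demo_dir" my-child && echo "child theme OK: $demo_dir/my-child"
```

Run it from the shell; it writes into a throwaway directory from `mktemp -d`, so point `create_child_theme` at your real `wp-content/themes` directory only once you are happy with what it generates. Any template override (say a custom `header.php`) then goes into the child directory, where a parent update cannot clobber it.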

Even though Thesis has done the bare minimum not to be sued for its license violation and the code it copy/pasted from WordPress, lots of folks including myself still have a bad taste in their mouths from the episode, since there was no apology or contrition shown (like a donation to the WordPress Foundation, which would be a drop in the bucket compared to the millions Thesis made while breaking the GPL). But I think it’s best to focus on the positive.

There is a linkbait from a Thesis affiliate going around asking if I favor certain commercial themes — absolutely yes! Is that a controversial question? Themes WordPress lists on its commercial page go above and beyond bare compliance with the GPL and are full members of the community, sometimes even becoming active in core development like WooThemes has done. As a business, I would feel a lot more comfortable building my online presence on a real enterprise like Woo, StudioPress, iThemes, and many more rather than a one-man-against-the-world operation, regardless of how good its marketing is, or how many affiliates it has.

For Automattic’s part, our theme team has been taking the opportunity to update our blogs stuck on Cutline and Pressrow, which were abandoned by Chris years ago and don’t support any of WordPress’s new features. The first iteration of this is Coraline, which is aesthetically similar to Cutline but under the hood is way better, with multiple layout and sidebar options, color schemes, custom background, per-post custom headers, gallery and asides support, and a few other bonuses. (Unfortunately, the switch had a bug that broke widgets for some sites, but that’s being fixed. We’ll avoid that when switching Pressrow.) A lot of this was kicked off before DIYThemes dodged litigation, but it’s important to continue because we’re building better themes for users who honestly shouldn’t worry about this stuff; they should just have a theme that’s current, flexible, functional, and beautiful.

Categories
WordPress

Micro-blogging vs Mega-blogging

I don’t think “mega-blogging” is actually a thing, I just made it up to make the title sound more dramatic. But if mega-blogging were a thing, you would do it with WordPress. Micro-blogging is a thing, and a lot of people do it with Twitter.

TechCrunch drops in this fray with an article comparing the comScore numbers of WordPress.com and Twitter.com, which show an accelerating growth for WP.com and flattening for Twitter. I’ll talk about the data itself later, but first I wanted to point out something many overlook when trying to create a battle between the mediums.

New forms of social media, including micro-blogging, are complementary to blogging.

One of the many uses of Twitter is to link to and promote your blog posts. (And other people’s blog posts.) As we grow, so do they, and vice versa. I blog when I have something longer to say, like this. I tweet when it’s the lowest friction way to talk to my friends, or get distribution for something longer I did somewhere else.

It’s not really a “versus,” it’s an “and.”

Whether the Twitter team intended it or not, they’ve built a killer and highly addictive reader platform with dozens of interesting UIs on top of it.

Features like WP.me, post by email, Twitter publicize, RSS Cloud, P2, email subscriptions, and more stuff in the cooker are trying to tie these things together more, because people who do one are highly likely to do another.

As for the accuracy of the underlying comScore data, I would say they probably are precise but not accurate, meaning that whatever flaws they have in collection now (for example, for WP.com they don’t count the custom domains or RSS readers, and for Twitter they don’t count API usage or desktop clients), they’re at least self-consistent in how they do things over time. Some months they show us flat when our internal stats showed growth, and vice versa. Ultimately it’s not worth anyone outside of comScore arguing how they collect their data; it’s better just to use it as one reference point alongside Quantcast (my fav), Alexa, Google Trends, Nielsen…

How tweets get imported into a blog is still an open question for me. I’ve seen lots of ways people have attempted it but when a blog becomes an activity stream it becomes a weak version of all the things it aggregates, less than the sum of its parts, because of the loss of context.

Categories
Essays WordPress

Sun, Oracle, WordPress, and MySQL

It’s magically beautiful outside in San Francisco today, but instead everyone is talking about the $7.4 billion acquisition of Sun Microsystems by Oracle. (More on Techmeme.) A number of people have contacted me with questions to the effect of “Oracle is evil, they now own MySQL, WordPress runs on MySQL, OMG! What’s next?” In addition to the millions of WordPress blogs all using MySQL, all of the projects Automattic contributes to are MySQL-based and we run more than 250 servers dedicated to MySQL.

Last Thursday at The Next Web I talked about how we need an Internet Bill of Rights to protect our data and the countless hours we pour into complex online services, such as Facebook and Last.fm, and that the foundations for this were laid down 20 years ago by Richard Stallman and the GPL.

Today our servers are running various versions of MySQL, tomorrow they’ll be running the same thing, and if need be ten years from now they can run the exact same software. Because of the GPL every WordPress user in the world is protected — we’re not beholden to any one company, only to what works best for us. Today that’s MySQL, tomorrow that’s MySQL, a year from now we’ll see.

Most importantly whatever happens will happen on our timeline. That’s the definition of Freedom.

Here are a few other reasons not to be worried, and a bonus at the end.

  1. Oracle bought Innobase, makers of the InnoDB engine that most large users deploy as their main storage engine, in October 2005. The sky has not yet fallen.
  2. As a company Automattic has never really needed the support services that MySQL provides and even if we did there are plenty of third parties also providing support.
  3. Most of the useful updates for MySQL have been coming from outside, to quote Jeremy Zawodny:

    The single most interesting and surprising thing to me is both the number and necessity of third-party patches for enhancing various aspects of MySQL and InnoDB. Companies like Percona, Google, Proven Scaling, Prime Base Technologies, and Open Query are all doing so in one way or another.

    On the one hand, it’s excellent validation of the Open Source model. Thanks to reasonable licensing, companies other than Sun/MySQL are able to enhance and fix the software and give their changes back to the world.

  4. In terms of innovation, the most interesting developments have been from outside as well, in projects like Drizzle. (I would not be surprised if this moment is for Drizzle what Movable Type changing their licensing was for WordPress, even though in this case they’re both Open Source.)
  5. I’ve met a number of people at Sun who are incredibly smart, and if they stick around I expect cool things to continue to come out.
  6. There are some new developments in the WordPress world, namely that I think it would be possible to add support for databases other than MySQL without changing every $wpdb call or breaking any plugins or themes. It won’t be easy, but the coolest stuff seldom is.

Anyway, I now really wish I had agreed to keynote at the MySQL User Conference starting today. 🙂

Categories
WordPress

I Heart Blogging design contest

You may know of Infectious as those guys who make the cool vinyl decals for cars. Now they have laptop and iPhone skins, too, and WordPress has partnered with Infectious for the launch with the “I <3 Blogging” contest.

The winners will be chosen by Derek Powazek, Matt Thomas, Team Infectious, and yours truly, and the prizes are sweet. If you nab the grand prize, your design will be printed on laptop and iPhone skins that will be sold in the Infectious store. You’ll also get a cut of the profit from their sales, $400 cash, some WordPress schwag, and $400 to spend on merchandise in the Infectious store.

The contest ends March 31, so hop on Photoshop or Illustrator and use your design chops to show us why you love blogging. The theme is completely open to interpretation, so feel free to get creative. You can submit your creations and vote on others here. You might also want to check out the official WordPress logos and graphics because friends don’t let friends use the incorrect WP logo. 😉

As a final bonus, I’ll be putting the winning design on my next laptop, so it’ll get exposure all over the world. (Last year I spoke in over 35 cities across 6 continents.) Enter your design here.

Categories
WordPress

2.7

WordPress 2.7 “Coltrane” is live to the world. So many people put so much into this release, all I can really say is “thank you.”

Check out the release video:

Categories
WordPress

Scoble Interviews

I had the pleasure of chatting with Robert Scoble last week. In addition to him getting me to sign up for FriendFeed, we chatted a bit on camera about social media, the future of blogs, advertising, and of course WordPress.

Here’s part one, at 21 minutes.

Here’s part two, at 17 minutes.

Thanks to Robert for taking the time out to chat, as always it was a pleasure.

Categories
WordPress

WordCamp San Francisco 2008 Photos

Adam Tow got some great photos at WordCamp. Update: Here are mine. See also:

What about mine? Not quite yet.

Categories
WordPress

2.6 by the numbers

Now that we’re 10 days into the release of version 2.6 of WordPress, it’d be interesting to look at a few of the numbers around it.

  • There have been around 23 thousand downloads per day. (Of just the English version.)
  • According to the update system there are 201 thousand blogs using 2.6 already.
  • That’s about 9% of all known WordPress.org blogs in 10 days.
  • The video in the announcement post has been viewed 665,080 times.
  • There have been over 300 themes submitted to the new Theme directory, which launched just 6 days ago.
  • In the same period (10 days) there were 579,871 downloads of 2,527 plugins.

I imagine 2.6 adoption will pick up after the 2.6.1 release — a lot of people wait for the .1 before upgrading.

How are we celebrating? By working on 2.7!

It should be a fun release both for the features we have planned and also because it might incorporate some of the aspects of Crazyhorse, our experimental bizarro world dev branch which we’re laser-eye-testing in NYC next week. (700 blogs are running 2.7 already.)

Categories
WordPress

SecurityFocus SQL Injection Bogus

Since people are asking, this so-called alert on Security Focus appears to be completely false and has no information that an attacker or the WordPress developers could use. It is completely content-free, except for making claims that every version of WP since 2.0 is vulnerable.

Online, apparently, it’s fine for someone to run into a crowded theatre and yell “fire,” and the less basis there is in fact the more people link to them. It’s not uncommon to see crying-wolf reports like the above several times in a week, and a big part of what the WP security team does is sift through things to see what’s valid or not.

A valid security report looks like this; it usually includes sample code and a detailed description of the problem. The WP security team was notified of the KSES problem and it was fixed in 2.5. You can impress your friends by saying whether a security report is valid or not, so it’s a good critical facility to pick up.

All that said, there is a wave of attacks going around targeting old WordPress blogs, particularly those on the 2.1 or 2.2 branch. They’re exploiting problems that have been fixed for a year or more. This typically manifests itself through hidden spam being put on your site, either in the post or in a directory, and people notice when they get dropped from Google. (Google will drop your site if it contains links they consider spammy, you’ll remember this is one of the main reasons I came out against sponsored themes.) Google has some guidelines as well, what to do if your site is hacked. If I were to suggest WordPress-specific ones, I would say:

Categories
WordPress WordPress MU

Backing BuddyPress

Some of you may remember when I wrote about Chickspeak, a WordPress MU-based social network. Andy Peatling, the fellow behind it, later decided to recreate the work he had done as an Open Source effort he called BuddyPress. And it was good.

Today I’m happy to announce that Andy has joined Automattic full-time and we’ll be taking the BuddyPress project under our wing. We will grow it and support it the same way we support WordPress, MU, bbPress, Akismet, and more.

It’s clear that the future is social. Connections are key. WordPress MU is a platform which has shown itself to be able to operate at Internet-scale and with BuddyPress we can make it friendlier. Someday, perhaps, the world will have a truly Free and Open Source alternative to the walled gardens and open-only-in-API platforms that currently dominate our social landscape.

See also: DiSo, GigaOM, Techcrunch, Mashable, Techvibes.

Categories
WordPress

Scriblio for Libraries

Scriblio MATC Project Final Report. Scriblio is a system for helping libraries and is built on top of WordPress. The article describes some of the troubles with the close association with WordPress:

Shortly after the Mellon Foundation announced the award to the Scriblio project, the WordPress core developers reversed their longstanding position on tags and announced that the next release would include tag support. This is significant because metadata such as author or subject is functionally equivalent to tags in Scriblio, and much of the Scriblio code was devoted to managing those tags.

It also describes some of the benefits:

[T]he relationship between the open source WordPress community and commercial participants, including Automattic, the commercial entity that operates WordPress.com, has proven itself to deliver real benefits to all. […]

And the Scriblio project has enjoyed opportunities to contribute to the WordPress community as well. […] One recent example is Ticket #5649, where a change proposed by Scriblio was committed to the baseline code within an hour of its submission.

Overall, a good read on building a project on top of WordPress, helping an under-served community, and giving back by strengthening the underlying platform.

Categories
WordPress

On WP Security

Wincent Colaiuta has no problem throwing flames at WordPress, but doesn’t see fit to enable comments. (Apparently disabled to make Movable Type more secure.) His table-layout blog isn’t too notable but it got linked from Daring Fireball so a lot of people saw his article trying to draw the line between a routine point release and encouraging people to never use WordPress on the public internet. Here are a few points for thought in response:

  • The SQL problem in 2.2 requires both registration to be enabled (off by default) and the blog to be upgraded to 2.2. It is a serious problem but I’ve heard of fewer than 5 exploits from the flaw. Even if you assume there are 100 blogs for every one we heard about, that’s still an incredibly small percentage of the millions of WordPresses out there, especially considering, as Wincent points out, the problem has been in the public for a while now.
  • Getting people to upgrade web software is hard. We work as best we can with hosting companies, but a consideration is that it’s best to roll several security fixes into one release. It’s not responsible to do a release if we know of another problem, so sometimes there is a lag between an initial report and a final release, not to mention the testing required of a product used as much as WP.
  • Wincent digs up the server crack that modified the files of 2.1.1 for a few days. Ignoring the fact that it was a server issue and had nothing to do with WordPress the software, we actually had NO reported exploits of the problem. (Though I’m sure there are at least a handful out there with problems, it wasn’t enough to hit our radar.) Despite that we took a hit and publicized the issue as much as we could to get the word out.
  • Also about 2.1.1, the problem was found through someone proactively auditing the codebase.
  • Finally Wincent says of WP “[a]nd if you insist on installing it, then you need to watch the trac like a hawk.” You would think complete transparency of the problems (it was on our bug tracker and mailing list) would be a good thing, especially considering the software Wincent uses doesn’t have a bug tracker, and the only way to submit a bug is through a contact form.

We can and do review new code for problems, and pick the vast majority up before any releases. I think the real issue though is not that WP has bugs which are sometimes security related, which all software not written by djb does, but that the mechanisms for updating complex web software are a pain. Right now the best experiences are probably with folks like Media Temple or Dreamhost that have pretty foolproof one-click upgrades and are quick with updates.

Making notification better and upgrading more painless for people not lucky enough to be on a host like that are problems with some very clever minds on them, and I’m confident that we’ll have good progress toward each in the next major release of WP.

Finally, I suppose we could act more like our proprietary competitors and try to downplay or hide security issues instead of trumpeting them loudly in our blog, but I think the benefit of having people well-informed outweighs the PR lumps we take for doing the right thing. I truly believe talking about these things in the open is the best way to address them.

In some ways it’s a good problem to have. When a product is popular, not only does it have more eyes from security professionals on it, but any problems garner a level of attention which is not quite warranted by the frequency of the general event, like Angelina Jolie having a baby. There are certainly things intrinsic to coding that can make software more or less secure, but all things being equal the software with the most eyes on it, which usually means Open Source, will be the most robust in the long term.

Categories
WordPress

Plugin Authors Get No Love

One interesting thing in the whole adware themes discussion is the people claiming if we require GPL it’ll kill the number and quality of themes out there, that the best themes have ads in them, that they couldn’t make themes if they weren’t getting the SEO gaming money, et cetera and so on.

There are two types of WordPress add-ons, themes and plugins. Are there any similarities?

  1. Plugins are just as hard or harder to write and design as themes.
  2. All plugins in our directory are required to be GPL or compatible.
  3. Plugin authors almost never get links on the front-end of a blog.
  4. I’m not aware of any plugins that bundle advertising with the intention of gaming search engines, like themes are.

Despite all of this, the plugin ecosystem around WordPress is flourishing, especially since we made the plugin directory, and hundreds have been added. It seems any of the doomsday scenarios people are expecting to happen to themes would have happened to plugins years ago. If ad-bundled themes really are better, a suggestion I find insulting to all those who volunteer their time for WordPress, then maybe they should start their own theme directory with only adware themes and they should get a ton of traffic.

(And just to respond to the title, I think plugin authors get tons of love, and hopefully we can help them get more with upcoming revisions to the plugin directory.)

Categories
Asides WordPress

NYC Meetup Update

Based on the comments on the last entry I think we’re going to kick off the April 11 meetup at Bryant Park at 6:30, and if needed migrate for drinks at 8 PM when the park closes to someplace like Heartland Brewery on West 43rd. How’s that sound to the New Yorkers in the audience? Update: Scott says “The northwest corner of the park is the most accessible (south of the Starbucks, east of the Verizon shop). Plus that’s where the coffee is.” That’s where we’ll meet. I’ll be in a beige overcoat and green shirt.

Categories
Asides WordPress

McAfee CEO

The new CEO of McAfee is blogging on their WordPress blog, very cool to see another CEO blogging. Hat Tip: Robert Accettura.

Categories
WordPress

71Miles on WP Framework

71Miles is a cool new travel site with a twist PM readers will find interesting — it’s built with WordPress. How? Adam Rugel writes “The nuts and bolts of our site is WordPress, it’s our foundation and content management system. We extended it to manage our content feeds: Google Calendar XML for the events calendar, map, and mobile product and Kayak’s brand new hotel API for the hotel deals. We tricked out the custom fields in WP to do a lot the work for us, and we’ve got the categories set up so that we can scale to roll out dozens of editions (NYC, LA, Chicago…). At any rate we’re loving the platform…” Definitely one of the coolest uses of the WordPress framework I’ve seen in a while.